Secure enterprise apps
You can use app wrapping and the app SDK to implement MaaS360® Application Security on your enterprise apps.
App wrapping and the app SDK work great for apps that are developed for your enterprise. You control your app development plan and strategy, and also control your artifacts for wrapping and signing. Even apps that are developed by another company can be wrapped and signed with your code signing certificate.
App wrapping
App wrapping unwraps the app, injects MaaS360 container security code, and rewraps the entire package. This process occurs automatically by MaaS360 after the app is uploaded to the IBM® MaaS360 Portal and the administrator selects the App Wrapping option.
To rewrap your app, MaaS360 needs the following platform-specific artifacts for packaging and signing apps:
- iOS: iOS provisioning profile, code signing certificate, and credentials
- Android: Keystore file, keystore alias name, and credentials
Because you need these artifacts, you can wrap only enterprise and native apps. Public, third-party apps cannot be wrapped because third-party app developers do not usually share their code signing certificates and credentials to rewrap their app.
App wrapping summary
- MaaS360 adds a security layer to enterprise apps (iOS and Android) by injecting code and rewrapping the apps.
- Requires no code changes by the developer. The security layer is automatically added by MaaS360 on-demand.
- Requires code signing certificates, and keystore credentials to sign the app after the code injection.
- Supports private, enterprise, native, and hybrid apps.
App SDK integration
For app SDK integration, the MaaS360 App Security Software Development Kit (SDK) is used in the app code during the development process. You have more flexibility and control on how the app security features work in your app. App SDK integration provides the same features as app wrapping, plus some additional features.
The following diagram outlines the app SDK integration process:
App SDK integration summary
- Requires app developers to integrate the MaaS360 App Security SDK during app development.
- Offers granular controls over security features.
- Offers more APIs than app wrapping (for example, you can fetch MaaS360 user and device data for apps to use).
- Supports both native and hybrid apps.
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Get user and device information | Allows the SDK to obtain information about the device and user that includes Device UDID, MaaS360 Device ID, User name, Access Groups, Email Address, Compliance Status, and Out of Compliance reasons (if applicable). | Provides unique identification details about the user and the device. | Yes | Yes | Yes | Yes | N/A | N/A |
| Single sign-on. Access control across apps | Allows the user to use a single PIN to access any app that is built by the same developer. | Users sign on with a simple container PIN and stay logged in until the login time lapses. | Yes | Yes | Yes | Yes | Yes | Yes |
| User custom attribute support | Allows custom user-level attributes to be defined and propagated to the app. | Enterprises define custom attributes for users that are used across apps. | Yes (Note A ) |
Yes (Note A ) |
Yes | Yes | ||
| Shared device support | Allows the user to access the app only when the user is signed in, and prevents the user from accessing the app when the user is signed out. | Makes sure that data is secure when multiple users share a single device. | Yes (Note B ) |
Yes (Note B ) |
Yes | Yes | Yes |
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Compliance enforcement | Sets up policies for user and device compliance and enforces restrictions on apps for non-compliant devices. | Detects user and device compliance events and automatically enforces restrictions on apps, such as blocking user access to an app. | Yes | Yes | Yes | Yes (Note C ) |
Yes (Note D ) |
Yes |
| Location and time-based policies | Defines location and time boundaries for using an app. | Allows or blocks users from accessing an app based on time and location. | Yes | Yes | Yes | |||
| Restrict access on jailbreak | Detects jail-broken devices and restricts user access to an app. These APIs are enforced automatically by the app SDK or the SDK provides the delegate call backs on these events for the app to implement. | Detects jailbreaks and immediately restricts the user from accessing an app. | Yes | Yes | Yes | Yes (Note C ) |
Yes | Yes |
| Restrict access after long periods of inactivity | These APIs are enforced automatically by the app SDK or the SDK provides the delegate call backs on these events for the app to implement. | Enforces authentication to an app after a specified login period expires. | Yes | Yes | Yes | Yes | Yes | Yes |
| Restrict access on selective wipe | These APIs are enforced automatically by the app SDK or the SDK provides the delegate call backs on these events for the app to implement. | Sends an alert when the admin starts a selective wipe to protect or delete corporate data within the app. | Yes | Yes | Yes | Yes (Note C ) |
Yes | Yes |
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Data at rest encryption | Enforces maximum security for the app data at rest. | Encrypts the app data for more security. Encrypts the metadata for the app, the app database, and all the files that are in use for the app. | Yes | Yes (Note E ) |
Yes | Yes (Note F ) |
Yes | Yes |
| Advanced encryption handling | Encrypts an app that uses a container PIN. | Provides simpler key handling for encryption. | Yes | Yes | Yes | Yes | Yes | |
| Encrypted inter-app data transfer with MaaS360 | Encrypts and transfers data between MaaS360 and the app securely without the possibility of man-in-the-middle attacks. | Encrypts data while in transit between MaaS360 and the apps on the device. | Yes | Yes | Yes | Yes | Yes | |
| Restrict cut, copy, or paste | Allows cut, copy, or paste only within the set of containerized apps. | Restricts the user from copy or pasting documents from within the container to a personal app. | Yes | Yes | Yes | Yes (Note G ) |
Yes | Yes |
| Restrict screenshot | Restricts the user from taking a screen capture of the device. | Protects sensitive data from leaking through screen captures. | N/A (Note H ) |
N/A | Yes | Yes (Note J ) |
N/A (Note H ) |
Yes |
| Restrict import from camera or gallery | Restricts the user from using the camera or importing images from the Gallery into the app. | Isolates work apps from personal images and data. | Yes | Yes | Yes | |||
| Restrict import from SD card | Restricts the user from importing content from the SD card into the app. | Isolates work apps from extraneous content that is stored on the SD card. | N/A | N/A | Yes | |||
| Restrict file import | Restricts the importing of files from other apps into the containerized app. | Prevents users from importing non-work related documents into the containerized app. | Yes | Yes | Yes | |||
| Filter notifications if container is locked | Prohibits notification messages from the app when the container is locked, preventing data leakage. | Blocks sensitive notification messages from displaying on the screen if the container is locked. These notifications are displayed when the user unlocks the container. | Yes | Yes | Yes | |||
| Allow file import from set of allowed apps | Allows the importing of files from a select list of allowed apps, as defined in the policy. | Allows users to import documents from a select list of trusted apps into the containerized app. | Yes | Yes | ||||
| Restrict file export | Restricts the exporting of files to allowed apps only. (The SDK provides a separate interaction controller to handle this action.) |
Prevents the leakage of files and allows files to be opened in a set of allowed and containerized applications. Users cannot export files to other apps. | Yes | Yes | Yes | Yes (Note J ) |
Yes | Yes |
| Restrict printing | Restricts the printing of files, if enabled. | Prevents leakage of data from printing. Users cannot print from the wrapped app. | Yes | Yes | Yes | Yes | Yes | Yes |
| Certificate pinning | Validates that the trusted CA public certificates match with certificates that are pinned by the app. | Protects apps from certificates that are fraudulent. | Yes | Yes | Yes |
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Per-app VPN | Establishes the gateway access for the app to access resources behind the corporate firewall. | Provides app-level intranet access without a device-level VPN. Encrypts data in motion. Reduces VPN traffic since only corporate apps fetch data through the gateway, while all personal apps directly access the internet. | Yes | Yes | Yes | Yes | Yes | Yes |
| Regional gateway support for per-app VPN | Uses a regional MaaS360 gateway for the per-app VPN based on the geographic location of the user. | Allows users to access data faster due to reduced network latency. | Yes | Yes | Yes | Yes | Yes | Yes |
| Corporate Network Detect | Uses direct access and skips the per-app VPN in the corporate network. | Allows users to access data faster through direct access to corporate resources while in the corporate network. | Yes | Yes | Yes | Yes | ||
| Identity Certificate for direct gateway | Allows Identity Certificate validation by a load balancer during SSL negotiations. | Validates an identity certificate from the device by using a direct gateway setup with a load balancer. | Yes | Yes | Yes |
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| App configuration | A configuration file with required inputs is passed from MaaS360 and delivered securely to the app. | Provides a better user experience because the app is preconfigured. | Yes | Yes | Yes | Yes | N/A | N/A |
| App authenticity | Validates the app signature before an app accesses the MaaS360 container. | Makes sure that tampered or malicious apps do not gain access to the container. | Yes | Yes | Yes |
| Feature name | Feature description | Benefit | iOS Native SDK | iOS Cordova SDK | Android Native SDK | Android Cordova SDK | iOS Wrapping ** | Android Wrapping ** |
|---|---|---|---|---|---|---|---|---|
| Send MaaS360 email | Provides an interaction controller that is used to send email through MaaS360 Secure Mail with or without attachments. | Allow users to send email from your app with MaaS360 Secure Mail. | Yes | Yes | Yes | Yes | N/A | N/A |
| Open document directly in Secure Viewer | Provides the option for developers to open documents directly in the Secure Viewer, since Android does not provide a viewer. | Enables developers to easily provide document views within apps that use the MaaS360 SDK. | N/A | N/A | Yes | Yes | N/A | Yes |
| Save documents in MaaS360 app | Provides an interaction controller for the app to allow users to save the document securely in the MaaS360 app. | Users can save documents from any app into the My Docs section of the container. | Yes | Yes | Yes | Yes | N/A | N/A |
| Open links in MaaS360 Secure Browser | Allows users to open links from apps in the MaaS360 Secure Browser. | Users are directed to the MaaS360 Secure Browser to open URLs present in apps, including intranet sites without a device-level VPN. | Yes | Yes | Yes | Yes | ||
| Browse in MaaS360 Docs | Provides an interaction controller for the app to allow users to browse documents securely from MaaS360 Docs. | User can browse documents in MaaS360 Docs from any app securely. | Yes | Yes | Yes | |||
| Edit documents in MaaS360 Secure Editor | Provides an interaction controller for the app to allow users to edit the document securely in the MaaS360 Secure Editor. The SDK handles the transfer of the document to the editor and handles the receiving of the document from the editor when the edit is complete. | Allows users to edit a document directly inside the container by using the MaaS360 Secure Editor. | Yes | Yes | Yes | Yes | Yes |
| Note | Description |
|---|---|
| A | Can be used with app configuration |
| B | Requires app reconfiguration |
| C | Selective Wipe action by MaaS360 app only. No delegate call backs. |
| D | Only for selective wipe events |
| E | Provided by iOS. JSON database encrypted by Worklight. |
| F | Files and text encrypted by MaaS360. JSON database encrypted by Worklight. |
| G | By extending the MaaS360WLDroidGap class |
| H | Available by using MDM |
| J | By extending the MaaS360WLDroidGap class |
| N/A | Not possible or made available by the OS |
| ** | Wrapping support for iOS Cordova-based apps is at parity with SDK-integrated apps, while wrapping is not currently supported for Android Cordova-based apps. |